As a teenager, Daniel Kelley used to play World of Warcraft obsessively. He was heavily involved in the game’s highly-competitive Player versus Player (PvP) system, a multiplayer interactive conflict that can enable users to boost their own in-game ranking. “One day, my teammates and I noticed that we were being targeted by a DDoS attack from a player on a rival team,” says Kelley. He started digging around blogs and forums trying to find out how to fight back. “I stumbled upon a forum discussing hacking techniques.”
Kelley says his journey towards serious cybercrime started out as an offshoot of his benign interest in gaming — before rapidly growing darker. He delved deeper into online hacking forums and, over the course of several years, developed an extensive CV of criminal activities, including targeting his local college in Carmarthenshire, Coleg Sir Gar, which had failed to accept him onto its computing course.
By the age of 18, Kelley was, most famously, implicated in the 2015 breach of TalkTalk, an attack that ultimately cost the telecoms giant around £77m and compromised the personal data of over 150,000 customers. He’d already been arrested, if only for a few hours, over the Coleg Sir Gar hacks, but didn’t get off so easily the second time around. Following the TalkTalk breach, a trail of breadcrumbs he’d left in Bitcoin interest payments and virtual chat logs led teams of investigators to the doors of his home in Llanelli, Wales. He ultimately spent four years behind bars after pleading guilty to multiple cyber-offences.
What drew Kelley to cybercrime? Looking back, the now-reformed cybersecurity consultant is convinced that the bravado of youth had more than a little to do with it. “I think it had to do with being a teenager with a limited understanding of the real-world consequences of my actions,” he says. “The abstract nature of the computer screen made it easy to detach from the reality of my actions.”
The path from ‘bored teenager’ to cybercriminal is one that many young people in the UK make, and one that the UK’s National Crime Agency (NCA) is keen to break. The organisation’s Cyber Crime Unit focuses on tackling critical cyber incidents in the UK, undermining criminal networks, and — increasingly — countering the rising numbers of young people tempted into cybercrime. But in the nebulous field of cybercrime, which often bypasses international borders, how does this actually work?
Behind the scenes
The NCA’s Cyber Crime Unit had a big win in April, when it was part of a coalition of law enforcement agencies that shut down one of the world’s biggest online criminal marketplaces. Genesis Market sold passwords, IP addresses and other personal data — enabling fraudsters to log into bank and online shopping accounts. During a series of raids, the NCA arrested 24 suspected users of the site, providing the headline-grabbing images of physical arrests that are relatively uncommon in cybercrime enforcement.
Beyond eye-catching achievements like the takedown of Genesis Market, Brian Higgins thinks people misunderstand the role of the NCA. “It’s lovely to catch bad guys and put them in prison,” says the security specialist at research firm Comparitech. “But actually, if you can stop them before they start, or help the people who they’re going to target […], then you’re on to more of a broader win.”
Long before joining Comparitech, Higgins worked between 2009 and 2013 for the Serious Organised Crime Agency (SOCA), which was later superseded by the NCA. This work wasn’t particularly glamorous, consisting mainly of reading reports and staring at onscreen data, says Higgins. “Everyone thinks that law enforcement success involves doors kicked down and people carted off in handcuffs,” he explains. “But actually, in the world of cybercrime, that’s a tiny, tiny piece.”
Indeed, much of the work behind success stories like the takedown of Genesis Market involves painstaking data collection, lengthy analysis, and long meetings with international collaborators. The borderless nature of cybercrime makes teamwork essential, explains Bharat Mistry, technical director at cybersecurity firm Trend Micro. “The actual crime might happen in the UK,” says Mistry, “but the perpetrator [could be] in a country that’s on the other side of the world, where the laws are completely relaxed and there’s no jurisdiction.”
This collaboration isn’t just with rival law enforcement agencies, but also private, third-party security vendors — including Trend Micro — which gather their own threat intelligence to better defend their clients. The ongoing cybersecurity skills shortage can make it hard for government agencies and police forces to recruit specialists, but Mistry thinks this dilemma can be combated, at least in part, by enhancing public-private partnerships and industry knowledge-sharing. “They talk about it in their policy,” he says, “but I don’t think there’s enough of it and I think it could go further.”
Beyond its international collaborations, the NCA has also seen recent success from more “legally audacious” work, says Higgins. In March, the NCA announced that it had infiltrated online criminal marketplaces by setting up fake sites purporting to offer DDoS-for-hire services. Distributed Denial of Service (DDoS) attacks, which flood a server with internet traffic, are illegal in the UK under the Computer Misuse Act of 1990, but they’re still pretty common. DDoS-for-hire services enable users to set up attacks relatively easily — even without any technical knowledge.
When unknowing users registered to the NCA’s ‘honeypot’ sites, they handed their data over to investigators. Users based in the UK were then, per the agency’s statement, contacted by law enforcement officers and warned about engaging in cybercrime. According to Kelley, this kind of straightforward warning could mean that bored teenagers get the shock they need to divert their efforts towards legal outlets.
The kids aren’t alright
Beyond direct engagement with pre-existing crime, the NCA has also launched its own educational campaign to prevent young people from ever starting out on illicit hacking. Tech-savvy teenagers are a large potential demographic for cybercrime, but also one that law enforcement agencies hope can be redirected towards more legitimate activities without too much resistance. According to a 2022 report by the NCA, the majority of referrals to the NCA Cyber Crime Unit’s Prevent team — which aims to divert individuals from cybercrime — were for secondary-school children, with the median age at 15 and the youngest at 9.
That’s where Cyber Choices, first launched in 2019, comes in. Coordinated by the NCA and delivered by a coalition of Regional Organised Crime Units and Local Police Force Cyber Teams, the campaign aims to direct teenagers with high-demand skills in coding, gaming, and cyber-security towards legitimate employment.
It also aims to simply explain the rules and regulations that surround digital behaviour, including the 1990 Computer Misuse Act. The NCA wants to clearly outline the boundaries between acceptable and impermissible online activity. “Nobody knows when their online activity becomes illegal,” says Higgins. “A lot of people are committing cybercrime because they don’t know that what they’re doing is wrong. You’ve got this whole spectrum all the way up to massive organised crime groups.” Mistry, likewise, argues that nascent cybercriminals need to be aware that their actions have real-world consequences. “Perpetrators have got to think twice about the crime that they’re committing,” he says. “I think the other thing that has to also happen is wide publicity around takedowns.”
Kelley, too, says he’s cheered by the NCA’s efforts to spread awareness and offer young people alternatives to cybercrime, but he thinks they could still go further by partnering with more private companies to offer direct routes into profitable and sustainable work. “When I engaged in cybercrime and was arrested, no authority came to me and actually presented me with an option that would have been more appealing than cybercrime at the time,” says Kelley. “I don’t think it would be hard for regional teams to partner with large companies and present the teenager with a possibility of a positive future.”
Kelley’s keen to pursue a long-term career in cybersecurity himself — this time on the legal side. “If a young person shows an interest in ethical hacking or penetration testing, we should nurture this curiosity and guide them towards productive channels like bug bounty programs.”